Tokens Leaked In Logs
Description
Verbose logging in development or third-party libraries can write access/refresh tokens, API keys, or PII into device logs or analytics streams. Other apps, connected debuggers, or malware can harvest these values and replay them.
Examples
Find Secrets In Logcat (Android)
adb logcat | rg -i "(access[_-]?token|authorization|bearer|api[_-]?key|refresh[_-]?token)"
If tokens appear, they can be copied and used in API calls.
iOS Device/System Logs
On simulators or devices with developer tools, search for sensitive headers:
log stream --predicate 'eventMessage CONTAINS[cd] "Authorization"'
Remediation
- Eliminate sensitive logging
  - Remove tokens/PII from logs; use structured logging with redaction.
- Separate debug vs release
  - Disable verbose logs and analytics in release builds; add CI checks blocking Log.d/NSLog with secrets.
- Backend detection
  - Detect tokens observed from unusual sources/IPs and revoke/rotate proactively.
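As an added example (not code from the original page), the redaction step above implemented as a Python logging filter that scrubs values following the same key names the logcat search on this page greps for; the sample log lines are constructed.

```python
import logging
import re

# Key names that mark a secret; the same names the logcat search above greps for.
# Group 1 keeps the key and separator, group 2 is the value to scrub.
_SECRET_RE = re.compile(
    r'(?i)('
    r'\b(?:access[_-]?token|api[_-]?key|refresh[_-]?token|authorization)\b"?\s*[:=]\s*"?(?:bearer\s+)?'
    r'|\bbearer\s+'
    r')([A-Za-z0-9._~+/=-]+)'
)

def redact(message: str) -> str:
    """Replace the value following any secret-bearing key with a fixed placeholder."""
    return _SECRET_RE.sub(r'\1[REDACTED]', message)

class RedactingFilter(logging.Filter):
    """Scrub every record before it reaches a handler, whatever the caller passed in."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already interpolated; stop a second % formatting
        return True

# Constructed sample lines of the kind the logcat search on this page would flag.
SAMPLE_LINES = [
    'HTTP request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123',
    'token refresh ok, refresh_token=r-9f8e7d6c5b4a',
    '{"api_key": "AKIAEXAMPLEKEY1234", "user": "alice"}',
    'User alice logged in',
]

def demo() -> list[str]:
    """Log the samples through the filter and return what would actually be written."""
    captured: list[str] = []

    class _ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    logger = logging.getLogger('app.demo')
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _ListHandler()
    handler.addFilter(RedactingFilter())  # attach once; every record through this handler is scrubbed
    logger.addHandler(handler)
    for line in SAMPLE_LINES:
        logger.debug(line)
    return captured
```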